Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Determine minimum capabilities required for perf event arrays #85

Open
anfredette opened this issue Aug 2, 2024 · 1 comment
Open

Determine minimum capabilities required for perf event arrays #85

anfredette opened this issue Aug 2, 2024 · 1 comment
Assignees
@dave-tucker
Milestone
Q4-2024

Comments

@anfredette
Copy link
Contributor

anfredette commented Aug 2, 2024
edited
Loading

For other map types, applications using bpfman can run in unprivileged mode; however, perf event arrays require some capabilities. What is the minimum set of Linux capabilities required for a pod to access a perf event array mounted by bpfman? It was expected that CAP_PERFMON would be sufficient, but it doesn't seem to work without a privileged pod.

Is this a kernel bug, just the way it is, or something unique in the way that the Cillium code accesses the maps?

Since one of the goals of bpfman is to allow eBPF-based applications to drop capabilities, we need to understand how it works now and whether anything can be done in the future.
@anfredette
Copy link
Contributor Author

@msherif1234 can you add any more details about what you saw?

@anfredette anfredette added this to the Q3-2024 milestone Aug 8, 2024
@anfredette anfredette modified the milestones: Q3-2024, Q4-2024 Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dave-tucker dave-tucker

Labels
None yet
Projects
bpfman
Status: 🆕 New
Milestone
Q4-2024
Development

No branches or pull requests
2 participants
@anfredette @dave-tucker